TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Access Controls for the Automated Insolvency System Need Improvement

May 16, 2011

Reference Number: 2011-20-046

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
1 = Tax Return/Return Information
3(d) = Identifying Information

Phone Number | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site | http://www.tigta.gov

HIGHLIGHTS

Final Report issued on May 16, 2011

Highlights of Reference Number: 2011-20-046 to the Internal Revenue Service Commissioner for the Small Business/Self-Employed Division and the Chief Technology Officer.

IMPACT ON TAXPAYERS

Bankruptcy petitions filed in Federal courts were up 32 percent in Calendar Year 2009 compared to Calendar Year 2008. The Internal Revenue Service (IRS) receives notification of a bankruptcy case because taxpayers are required to list their creditors and liabilities when filing for bankruptcy protection. The IRS inputs the taxpayers’ sensitive information into its Automated Insolvency System (AIS) to track the legal requirements for dealing with the taxpayers and to protect the Government’s financial interest. Unauthorized access to the AIS could jeopardize taxpayers’ legal rights.

WHY TIGTA DID THE AUDIT

This audit was initiated because the Small Business/Self-Employed Division requested that TIGTA review the AIS access controls. The objective of the review was to determine whether the IRS implemented access controls for the AIS to protect taxpayers’ personal data and to ensure the Government’s interest is protected when taxpayers file for bankruptcy.

WHAT TIGTA FOUND

Although some AIS access controls are in place, such as the automatic lockout control and password complexity settings, other required access controls have not been implemented or are not operating effectively.

TIGTA found many IRS employees have excessive privileges on the AIS. The excessive privileges are due to two primary reasons. First, managers did not ensure duties were adequately segregated among employees to prevent and detect unauthorized activities. The second reason is due to the inadequate role-based access control scheme that was developed for the AIS. The inadequate access control scheme causes managers to inadvertently grant unneeded, excessive AIS privileges to employees.

TIGTA also found IRS managers and user administrators were not following the requirement to use the Online 5081 system to authorize and revoke access to the AIS. In addition, some significant actions taken on bankruptcy cases are not logged and reported in the AIS Manager Review screen to allow managers to detect errors and inappropriate activities.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Directors, Collection Policy, Campus Filing and Payment Compliance, and Advisory, Insolvency, and Quality, Small Business/Self-Employed Division, 1) identify incompatible duties and implement policies to segregate those duties; 2) issue a memorandum to Insolvency office managers requiring them to adhere to the new policy when assigning duties and approving AIS access rights; 3) define and document user requirements for the AIS based on employee job functions and position descriptions and submit these requirements to the Applications Development office in a formal work request; and 4) issue a memorandum to managers emphasizing the requirement to use the Online 5081 system to authorize, revoke, and review employees’ AIS access authorizations.

TIGTA also recommended that the Associate Chief Information Officer, Applications Development, 1) ensure application developers have read-only access to the AIS, 2) develop software to systemically create and assign passwords for new AIS users, and 3) create a role-based access control scheme for the AIS.

The IRS agreed with the recommendations and stated it had already taken two corrective actions. The IRS initiated a work request to develop a self-service password reset and auto generation feature for the AIS, and the User Administrator privilege was removed from the Developer privilege level.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 16, 2011

MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION
               CHIEF TECHNOLOGY OFFICER

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Access Controls for the Automated Insolvency System Need Improvement (Audit # 201020022)

This report presents the results of our review of the Automated Insolvency System. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) implemented access controls for the Automated Insolvency System to protect taxpayers’ personal data and to ensure the Government’s interest is protected when taxpayers file for bankruptcy. This review was requested by the IRS’s Small Business/Self-Employed Division and was included in the Treasury Inspector General for Tax Administration Fiscal Year 2010 Annual Audit Plan. This review addresses the major management challenge of Security of the IRS.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.
Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

Table of Contents

Background

Results of Review
    Some Access Controls Have Been Implemented to Protect Taxpayers’ Data and the Government’s Interest in Bankruptcy Petitions
    Employees Have Excessive Privileges on the Automated Insolvency System
        Recommendations 1 and 2
        Recommendations 3 and 4
    The Online 5081 System Is Not Used to Authorize and Revoke Access to the Automated Insolvency System
        Recommendation 5
    Significant Automated Insolvency System Actions Taken on Bankruptcy Cases Are Not Logged and Reported in the Manager Review Screen
        Recommendation 6

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Excessive Privileges
    Appendix V – Glossary of Terms
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

AIS     Automated Insolvency System
ENS     Electronic Notice System
IRS     Internal Revenue Service
MITS    Modernization and Information Technology Services
SB/SE   Small Business/Self-Employed

Background

Bankruptcy petitions filed in Federal courts were up 32 percent in Calendar Year 2009 compared to Calendar Year 2008.[1] This increase followed a 29 percent increase in bankruptcies from Calendar Year 2007 to Calendar Year 2008. If a bankruptcy petitioner has unpaid Federal taxes, the Internal Revenue Service (IRS) will receive notification of a bankruptcy petition from 1 of 86 Federal bankruptcy courts around the Nation because the taxpayer is required to list all liabilities when filing for bankruptcy protection.
The IRS inputs the bankruptcy information into its Automated Insolvency System (AIS), which is the primary system used to protect the Government’s financial interest in the bankruptcy case and the taxpayer’s legal rights.

The AIS processes, stores, and transmits taxpayers’ Personally Identifiable Information as well as their tax and financial data. It also interfaces with other bankruptcy subsystems and processes. Examples include:

• The Insolvency Interface Program is a subsystem that automates the transfer of AIS data to and from the Integrated Data Retrieval System[2] and, when necessary, prevents other IRS systems from sending collection notices to taxpayers.
• The Automated Discharge System is a subsystem that accesses Integrated Data Retrieval System information and takes the appropriate actions to discharge and close the cases.
• The Automated Proof of Claim System is a subsystem to prepare a Proof of Claim document detailing the Government’s interest in the bankruptcy case.
• The Electronic Notice System (ENS) is a process that transfers new bankruptcy case information from United States Bankruptcy Courts into the AIS. The ENS notice informs the IRS that a taxpayer with a Federal tax liability has entered into a bankruptcy proceeding.

The Small Business/Self-Employed (SB/SE) Division’s Collection Policy office owns the AIS and establishes and oversees policy for the Insolvency program. This program includes approximately 1,160 employees whose AIS access privileges and levels should be assigned based on their job responsibilities. For example, employees in the Centralized Insolvency Operation office[3] are given access privileges on the AIS that allow them to 1) add, update, and close bankruptcy cases on the system; 2) resolve upfront processing issues such as potentially invalid Taxpayer Identification Numbers; and 3) identify collection activity that could violate Bankruptcy code provisions.

[1] Figures obtained from the Administrative Office of the United States Courts.
[2] See Appendix V for a glossary of terms.
[3] The SB/SE Division’s Centralized Insolvency Operation office is part of the Campus Compliance Services’ Filing and Payment Compliance office.

Other bankruptcy cases with complex issues are referred to Field Insolvency office employees, who are located in nine Territories throughout the country and are part of the Collection function’s Advisory, Insolvency, and Quality program. These employees prepare the Proof of Claim, which is filed with the court to protect the Government’s financial interest, and ensure taxpayers accurately list assets in their bankruptcy schedules.

In addition to the Insolvency program employees who access the AIS, approximately 340 non-Insolvency program employees use the system. These employees work in business units such as the Office of Appeals, Taxpayer Advocate, and Examination functions and primarily need view-only access.

In November 2008, the Modernization and Information Technology Services (MITS) organization Applications Development office upgraded the AIS from 34 Informix databases to a centralized Oracle database.
The upgrade increased the AIS users’ access to all bankruptcy data across the Nation, a capability needed by many managers and employees we interviewed.

Like its other systems that process or store sensitive data, the IRS must comply with Federal legislation and IRS procedures that require taxpayer information to be protected from malicious actions and inadvertent modification. In addition, the Federal Government has long recognized that the greatest harm to computer systems has come from authorized individuals engaged in improper activities, whether intentional or accidental.[4] Insider threats are often disgruntled employees who believe the business or agency has treated them unfairly and feel justified in taking malicious actions. To minimize these threats, the IRS requires access controls be implemented for its computer systems to prevent, limit, and detect unauthorized access. For example, IRS procedures require access to systems be based on the concept of “least privilege.”

Access controls must be implemented for computer systems based on the concept of “least privilege,” which requires employees be given the minimum access privileges needed to perform their duties.

[4] Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III – Security of Federal Automated Information Resources, November 28, 2000.

The Commissioner, SB/SE Division, requested the Treasury Inspector General for Tax Administration review the access controls for the AIS in Fiscal Year 2010. We focused our review on the access controls that were implemented to protect the privacy of taxpayer’s data and reduce the potential for system exploitation. The review was performed at the IRS’s Centralized Insolvency Operation office in the Campus office in Philadelphia, Pennsylvania; the Field Insolvency offices in Dallas, Texas, and Oakland, California; the MITS organization’s Applications Development office in Indianapolis, Indiana; the Computing Center in Memphis, Tennessee; and the SB/SE Division Headquarters in New Carrollton, Maryland, during the period March through October 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Some Access Controls Have Been Implemented to Protect Taxpayers’ Data and the Government’s Interest in Bankruptcy Petitions

The IRS established some access controls in the AIS to protect the taxpayers’ data and the Government’s interest in bankruptcy cases. Examples include:

• A system automatic lockout control disables an AIS user’s account after three unsuccessful login attempts. This control prevents a hacker from repeatedly trying to guess a user’s password.
• The password settings comply with the IRS’s password complexity requirements.
• The system displays the required banner to warn unauthorized users that the system is for authorized users only.
• Direct access to the Oracle database, which is part of the AIS, has been properly restricted. Only the database administrators have direct access to the database.

In addition, the Centralized Insolvency Operation office implemented a control to detect improper ENS notice deletions. The control requires a Centralized Insolvency Operation office manager to manually review all ENS notice deletions to ensure the deletions were warranted. Although this detective control improves security and our tests found no improper deletions, the control is labor intensive. The recommendations in this report will limit employee access to the ENS, prevent unauthorized employees from deleting ENS notices, and eliminate the need for this labor-intensive control.

Although some access controls are in place, we found other access controls have not been implemented or are not operating effectively.

Employees Have Excessive Privileges on the Automated Insolvency System

Employees have excessive privileges on the AIS due to two primary reasons. First, managers did not ensure duties were adequately segregated among employees to prevent and detect unauthorized activities. We found duties assigned to employees that cause a conflict of interest and violate the IRS’s security requirement to ensure duties are adequately segregated among different employees to detect errors and fraud.

The second reason for employees’ excessive AIS privileges is due to the inadequate role-based access control scheme that was developed for the AIS, which is presented in Figure 1. The IRS created the same four general access levels used in the previous Informix-based AIS and four new special access levels when it converted the system into its Oracle-based version.

We did not find errors or indications of fraud during our review.
However, the excessive privileges on the AIS increase the risks that errors, fraud, or unauthorized activities could be performed by employees acting alone or in collusion with other employees.

Figure 1: General Access Levels and Special Access Levels

General Access | Privileges
Level 1 | Users can 1) query and view the case data; 2) update and delete case data; 3) perform bulk processes such as printing notices and letters to taxpayers; 4) assign cases to employees; 5) view most AIS reports; 6) use support menus to view information such as the attorney/trustee data, employee data, and interest rates; and 7) access the ENS.
Level 2 | Users can 1) query and view the case data, 2) update and delete case data, 3) perform bulk processes such as printing notices and letters to taxpayers, 4) view some AIS reports, and 5) access the ENS.
Level 3 | Users can 1) query and view the case data, 2) update and delete case data, 3) access some reports, and 4) access the ENS.
Level 4 | Users can query and view the case information.

Special Access | Privileges
Manager | Users can 1) view and print Manager reports, 2) access the Manager Support Menu to modify attorney/trustee data and employee data and perform bulk case assignments to employees, and 3) view the Manager Review screen to identify case actions taken by employees.
Analyst | Users can update and delete data in the support tables, such as the interest rates charged to delinquent tax debts.
User Administrator | Users can add new users to the system, assign privileges, unlock user access accounts, and create passwords.
Developer | Users can view a menu with 17 options to diagnose interface problems the AIS encounters with other systems. One of the options allows the user to add users to the AIS and assign privileges.

Source: AIS User Guide and Centralized Insolvency Operation office Senior Technical Advisor.

Duties are not adequately separated among employees to prevent and detect unauthorized activities

The National Institute for Standards and Technology[5] recommends, and IRS procedures require, that duties be adequately separated among employees to ensure no employee has the authority and system privilege to disrupt or corrupt a security process or computer system. However, some IRS officials assign additional duties to managers and employees that, when combined with the manager or employee’s official duties and AIS privileges, violate the separation of duties requirement and increase the risks of errors or fraud. Examples include:

• Twelve Field Insolvency office managers whose duties include authorizing their employees’ AIS access accounts using the Online 5081 (OL5081) system[6] were assigned the collateral duties of adding users to the system, enabling privileges, unlocking users’ access accounts, and changing employees’ privileges when the employees are temporarily promoted or transferred to another position.
  The User Administrator privileges that the managers gained to perform these duties violate the IRS’s separation of duties policy. The critical security processes of authorizing and enabling access to a system must be separated among different employees to reduce the risk of errors and fraud. Field Insolvency office officials assigned these incompatible duties to a few managers in each Territory for the convenience of having a local user administrator.
• Field Insolvency office secretaries are responsible for performing administrative tasks, such as printing forms and letters to taxpayers and printing reports for managers. However, 3 of the 63 Field Insolvency office secretaries had the User Administrator privilege level because managers wanted the secretaries to unlock users’ passwords. The security process of unlocking passwords is the responsibility of a trained user administrator and these highly sensitive privileges should be restricted to only a few employees.
• Field bankruptcy specialists work the bankruptcy cases assigned to them and represent the IRS in court. They are responsible for updating bankruptcy case information in the AIS, including the payment history. To perform these duties, the specialists need Access Level 2. However, we found four specialists were assigned duties that required the User Administrator privileges, which allow the specialists to create new users and assign privileges to the users. Specialists should not be assigned User Administrator duties because the specialist could assign excessive privileges to employees or create phantom users and then login as the phantom user to perform malicious actions in the AIS.
• 114 employees had the AIS privilege to grant other users access to 2 AIS subsystems, the Insolvency Interface Program and the Automated Discharge System. These employees included Field bankruptcy specialists, revenue officers, Centralized Insolvency Operation office clerks, and policy analysts. Although these employees would first have to be granted access from the subsystem’s system administrator, the duty of assigning access privileges should not be given to these types of employees because they have other duties and AIS privileges that pose a conflict of interest. Further, the duty of assigning access privileges should be given only to user administrators.
• The official duties of the system analyst in the Centralized Insolvency Operation office are to help employees and managers that incur problems with the AIS application and assign case inventory to managers. To perform these duties, the system analyst needs Access Level 1 and Manager privileges.

[5] National Institute for Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3.
[6] The OL5081 is the official IRS system for requesting the establishment or cancellation of user accounts on all IRS systems.
  However, this employee was also assigned the additional duties of adding new users to the AIS and changing users’ privileges when employees separate from the IRS or change job functions. These additional duties require the system analyst to have the User Administrator privileges which, when combined with his or her Access Level 1 and Manager privileges, violates the IRS’s separation of duties policy. The system analyst can update and delete case information including ENS notices, access Manager Reports, change key case information using the Manager privileges, add new users, assign privileges, and assign passwords. IRS procedures state that a user administrator shall have no more capability than appropriate to establish a user on a system or to establish a user within an application.

The Government Accountability Office’s internal control standards for Government agencies[7] require agencies to identify incompatible duties and implement policies to segregate those duties. However, the IRS has not completed these critical actions for Centralized Insolvency Operation office or Field Insolvency office employees. We believe most managers assigned employees the previously noted incompatible duties because they were unaware of the separation of duties requirement and which key duties should be segregated. Nine of the 10 managers we interviewed indicated they believe secretaries should have the same privileges as managers. In addition, 3 of the 10 managers were unaware of their employees’ AIS privileges.

[7] Standards for Internal Controls in the Federal Government, (GAO/AIMD-00-21.3.1, November 1999).

Although the IRS has not identified incompatible duties for its Insolvency program employees, the IRS has completed this identification for application developers in the MITS organization. IRS procedures require application developers be given read-only access on the production system and should not have duties or privileges that would allow them to alter a production system. This requirement is due to their detailed knowledge of the system’s security vulnerabilities and to ensure configuration changes to the system are approved and controlled. Application developers are responsible for developing and testing system changes in the development environment. Other employees in the MITS organization Enterprise Operations office are responsible for implementing the changes on the production system. However, we found 11 AIS application developers were assigned duties on the production system and had excessive privileges.

• The AIS Applications Development office manager informed us that 3 of the 11 developers do not need access to the AIS. The developers were given these privileges to help convert users to the new Oracle-based system.
However, after the users were
       converted, the access privileges for the three application developers were not revoked.
   •   We determined most privileges included in the special Developer privilege level allow
       the developer read-only access to diagnose and troubleshoot interface problems that the
       AIS encounters with other systems. However, the eight developers who were assigned
       troubleshooting duties also had Access Level 1 and Manager privileges, which exceeded
       necessary read-only capabilities.
   •   Five of the 11 developers were also given User Administrator privileges that allow them
       to add users to the AIS, elevate users’ privileges, and perform other powerful activities on
       the production AIS.
The AIS Applications Development office manager requested developers be given Access
Level 1, Manager, and the User Administrator privileges to ensure they had all privileges
necessary to troubleshoot users’ problems with the system. The live data in the production AIS
could not be replicated in the development and test environment to which the developers were
limited. In addition, the AIS application developers informed us that other technical employees
in the MITS organization, such as the systems administrators and database administrators, do not
have sufficient AIS knowledge to troubleshoot and diagnose the AIS’s interface problems.
Assigning employees duties that should be segregated among different employees increases the
security risks and could lead to errors or malicious activities.
Users can manipulate case data for
their own personal gain or erroneously alter information that affects the IRS’s ability to protect
the Government’s interest in bankruptcy cases.

A role-based access control scheme was not adequately implemented for the AIS
IRS procedures require access privileges to a system be based on a role-based access control
scheme. This security requirement allows the IRS to create system roles for various job
functions such as Field bankruptcy specialist and Field Insolvency office secretary. The
privileges needed to perform the jobs should be assigned to the roles based on the concept of
“least privilege.” User administrators should then assign the appropriate role to the
employee/user. A role-based access control scheme aligns employees’ duties with system
privileges and helps prevent errors and fraud.
We identified approximately 22 different job functions in the Centralized Insolvency Operation
office and Field Insolvency offices. However, the AIS Applications Development office created
only four general access levels and four special privilege levels for the AIS, as presented
previously in Figure 1. This access control scheme does not adequately allow managers to align
users’ job duties with their AIS privileges and causes managers to inadvertently grant unneeded,
excessive privileges to employees. The following are examples of excessive privileges gained
by some employees.
Additional examples are summarized in Appendix IV.
   •   Bankruptcy specialists in the Centralized Insolvency Operation office’s Operations
       Support group investigate and assign a petitioning taxpayer’s tax obligations to the
       non-petitioning spouse, when applicable. These employees also need the ability to view
       and change case information and determine which employee took which specific actions
       on a case. To perform these duties, the bankruptcy specialist needs Access Level 1 and
       Manager privileges. However, along with the needed privileges in Access Level 1, this
       access level gives the specialists unneeded, excessive privileges, such as the ability to
       perform bulk processes (e.g., printing notices and letters to taxpayers), change taxpayer
       payment data using the Payments screen, and delete ENS bankruptcy notices. The
       specialist also gains unneeded Manager privileges such as the capability to change the
       employee data and perform bulk case assignments.
   •   The Automated Processing Control Lead employees in the Centralized Insolvency
       Operations office need Access Level 1 and Manager privileges to reassign cases using the
       Case Assignment Guide, delete ENS notices, and review their group’s work using the
       Manager Review screen.
However, these employees also gain unneeded privileges with
       Access Level 1, such as access privileges to the Payments screen and bulk processes.
       They also gain unneeded access with their Manager privileges such as the capability to
       change attorney/trustee data and employee data.
   •   Managers’ responsibilities include reviewing their employees’ work on the AIS,
       modifying the case grade and proof required fields, accessing and printing manager
       reports, and authorizing employees’ AIS access using the OL5081 system. However, the
       Manager privileges also include the privilege to elevate the access levels of AIS users,
       including their own access level. The privilege to modify the access level of a user
       should not be included in the Manager privileges because it conflicts with the managers’
       duty to authorize users’ access to the system. This privilege to modify users’ access
       privileges should be granted to user administrators.
   •   Field Insolvency office secretaries are responsible for administrative tasks such as
       printing forms and letters to taxpayers and printing reports for managers. However, 52 of
       the 63 secretaries had access to the AIS’s Automated Proof of Claim subsystem. Five of
       the eight managers we interviewed stated they wanted the secretary to print reports from
       this subsystem. The Program Analyst for the Automated Proof of Claim subsystem
       confirmed that printing reports is the most common reason for granting secretaries
       access. However, the employees also gained the excessive privilege to modify the data in
       the system.
Modifying case information is the job of a trained Insolvency employee,
       such as a Field bankruptcy specialist. The secretaries could purposely or erroneously
       change the Proof of Claim data.
   •   The User Administrator privileges include the right to create a password for a new access
       account. This right makes the User Administrator privilege level a significant security
       risk because user administrators have the capability not only to create an access account
       and assign high-level privileges, but also to create a password for the new account. The
       user administrator could create an account and password and then use the password to
       log in to the AIS and perform malicious actions. The duty and system privilege of
       creating a password should be separated from the duty of creating an access account to
       ensure no one employee has the authority and system privilege to corrupt the security
       process of adding new users to the system. We found 30 employees have the User
       Administrator privileges.
The AIS Applications Development office was instructed by
       the MITS organization Enterprise Operations office to create the User Administrator
       privileges to allow the SB/SE Division employees the capability to establish new end
       users on the system.
The AIS Applications Development office manager informed us that, during the 2008 AIS
conversion process, the MITS organization Cybersecurity office directed the conversion be
completed quickly and to keep the new system similar to the previous Informix-based system.
The AIS application developers followed this guidance by implementing the same four general
access controls that were used for the previous AIS and adding the four new special privilege
levels. The application developers also informed us they were unaware of the IRS’s role-based
access control requirement.
In addition to any excessive privileges previously mentioned, the employees’ excessive
privileges could allow them to inadvertently or maliciously modify or delete the taxpayers’ data
in the AIS or perform other unauthorized actions. These actions could prevent the IRS from
protecting the Government’s financial interest in bankruptcy proceedings.
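
The excess-privilege and separation-of-duties conditions described in this section can be checked mechanically against a list of privilege assignments. The following Python code is an added example, not part of this report or of any IRS system; the privilege names, the contents of each access level, the job-function requirements, and the sample users are assumptions constructed from the report's descriptions.

```python
"""Audit coarse access levels for excess privileges and separation-of-duties conflicts.

Privilege names, level contents, job functions and users are constructed for
illustration from the report's descriptions; they are not the AIS configuration.
"""

# Assumed contents of the coarse privilege levels the report describes.
LEVELS = {
    "access_level_1": {"view_case", "change_case", "bulk_processes",
                       "payments_screen", "delete_ens_notice",
                       "case_assignment_guide"},
    "manager": {"manager_review", "manager_reports", "change_employee_data",
                "bulk_case_assignment", "change_attorney_trustee_data",
                "modify_user_access_level"},
    "user_administrator": {"create_account", "assign_privileges",
                           "create_password"},
    "developer": {"read_interface_diagnostics"},
}

# Privileges each job function needs (least privilege), taken from the report
# where it says so; the user_admin and developer entries are assumptions.
NEEDED = {
    "ops_support_specialist": {"view_case", "change_case", "manager_review"},
    "apc_lead": {"case_assignment_guide", "delete_ens_notice", "manager_review"},
    "developer_troubleshooter": {"read_interface_diagnostics"},
    "user_admin": {"create_account", "assign_privileges"},
}

# Privileges that administer accounts, and privileges that change business data.
ACCOUNT_ADMIN = LEVELS["user_administrator"] | {"modify_user_access_level"}
DATA_WRITE = {"change_case", "bulk_processes", "payments_screen",
              "delete_ens_notice", "change_employee_data",
              "bulk_case_assignment", "change_attorney_trustee_data"}


def effective_privileges(levels):
    """Union of every privilege granted by the assigned levels."""
    privs = set()
    for level in levels:
        privs |= LEVELS[level]
    return privs


def excess_privileges(job, levels):
    """Privileges granted by the levels that the job function does not need."""
    return effective_privileges(levels) - NEEDED[job]


def sod_violations(job, levels):
    """Names of the separation-of-duties rules this assignment breaks."""
    privs = effective_privileges(levels)
    found = []
    # One person can both create an account and set its password.
    if {"create_account", "create_password"} <= privs:
        found.append("creates-account-and-password")
    # Account administration combined with the ability to change data.
    if privs & ACCOUNT_ADMIN and privs & DATA_WRITE:
        found.append("account-admin-with-data-write")
    # Developers are limited to read-only access on production.
    if job == "developer_troubleshooter" and privs - LEVELS["developer"]:
        found.append("developer-not-read-only")
    return found


def audit(users):
    """Map each user id to its sorted excess privileges and rule violations."""
    return {
        uid: {"excess": sorted(excess_privileges(job, levels)),
              "violations": sod_violations(job, levels)}
        for uid, (job, levels) in users.items()
    }


# Constructed sample assignments mirroring the patterns the report describes.
SAMPLE_USERS = {
    "specialist01": ("ops_support_specialist", ["access_level_1", "manager"]),
    "lead01": ("apc_lead", ["access_level_1", "manager"]),
    "analyst01": ("user_admin",
                  ["access_level_1", "manager", "user_administrator"]),
    "dev01": ("developer_troubleshooter",
              ["developer", "access_level_1", "manager", "user_administrator"]),
    "dev02": ("developer_troubleshooter", ["developer"]),
}

if __name__ == "__main__":
    for uid, result in audit(SAMPLE_USERS).items():
        print(uid, result["violations"], result["excess"])
```

Replacing the coarse levels with one role per job function, each holding exactly its needed set, drives the excess list to empty; the password-creation rule clears only when that privilege is moved out of the account-creation role.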
*****3(d)********
******************3(d)*******************************************************
****************************************************************************
*****************************************************************************
***************************************************************************
****************************************************************************
********************3(d)************************ **********1*****************
****************************************1**********************************
*************************1*************** *******3(d)************************
****************************************3(d)*********************************
****************************************************************************
****************************************************************.
Management Actions: Subsequent to completing our fieldwork, we determined changes were
made to the Access Level 1 and Manager privileges. Access to the Case Assignment Guide was
removed from Access Level 1 and the right to modify users’ access levels was removed from the
Manager privileges. We acknowledge both of these changes to the access control scheme
improve security. However, the AIS application developers did not provide evidence to support
that these alterations to the AIS were tested, approved, and made by authorized employees. IRS
configuration control procedures require changes to a production system be documented and
approved using a formal Transmittal document.
In addition, the IRS informed us it removed the User Administrator privilege from the Developer
privilege level after we completed our fieldwork.
We did not verify this corrective action.

Recommendations
Recommendation 1: To ensure key duties and system privileges are adequately separated,
the Directors, Collection Policy, Campus Filing and Payment Compliance, and Advisory,
Insolvency, and Quality, SB/SE Division, should 1) identify incompatible duties and implement
policies to segregate those duties, 2) issue a memorandum to Insolvency program managers
requiring them to adhere to the new policy when assigning duties and approving AIS access
privileges, and 3) designate a limited number of employees to perform the User Administrator
duties. These employees should have no more capability than necessary to establish a user on
the AIS.
       Management’s Response: The IRS agreed with this recommendation. A role-based
       access control system is currently being developed which will define the roles of users
       and designate specific access privileges to the users’ defined AIS profiles. Once this
       process is established, a memorandum will be issued to all managers requiring them to
       adhere to the new policy regarding segregation of duties. In addition, the Collection
       Policy office and the MITS organization are reprogramming the AIS to allow users to
       reset their passwords as opposed to the current process in which a user administrator must
       reset passwords.
This corrective action would dramatically reduce the number of user
       administrators needed.
Recommendation 2: The Associate Chief Information Officer, Applications Development,
should 1) remove the access account of the three application developers who are not assigned
AIS troubleshooting duties, 2) remove the Access Level 1 and Manager privileges for the eight
developers who are assigned troubleshooting duties and ensure they have only the Developer
privileges and read-only access, 3) remove the User Administrator privilege level for the five
developers who are assigned troubleshooting duties, and 4) develop a software product to
systemically create and assign passwords for new AIS users.
       Management’s Response: The Applications Development office generally agreed
       with this recommendation. The Applications Development office will ensure that access
       to the AIS is limited to personnel assigned AIS troubleshooting duties. In addition,
       Access Level 1 and Manager privileges will be retained for the developers who are
       assigned troubleshooting duties until the role-based access control scheme is
       implemented. These privileges must be retained as-is until a role-based access control
       scheme is implemented which will allow the developers read-only access to these
       processes. Otherwise, developers lose troubleshooting and maintenance capabilities for
       these processes. The IRS will remove the User Administrator privilege level for the five
       developers who are assigned AIS troubleshooting duties.
Finally, a work request has
       been input to request development of a self-service password reset and auto generation
       feature for the AIS.
Recommendation 3: The Directors, Collection Policy, Campus Filing and Payment
Compliance, and Advisory, Insolvency, and Quality, SB/SE Division, should coordinate with the
MITS organization Applications Development office to define and document user requirements
for AIS users based on employee job functions and position descriptions, such as Field
Insolvency office secretary and Centralized Insolvency Operation office automated processing
control clerk. The new user requirements should adhere to the concept of “least privilege,”
include only those privileges needed for each employee to perform their duties, and be submitted
to the Applications Development office in a formal work request.
       Management’s Response: The IRS agreed with this recommendation. A role-based
       access control scheme is being developed. Once this corrective action is completed, a
       formal work request will be submitted to the MITS organization to implement the new
       access levels.
Recommendation 4: The Associate Chief Information Officer, Applications Development,
should 1) create and implement a role-based access control scheme for the AIS based on the
documented user requirements defined by the Directors, Collection Policy, Campus Filing and
Payment Compliance, and Advisory, Insolvency, and Quality, SB/SE Division, and 2) remove
the User Administrator privilege from the Developer privilege level.
       Management’s Response: The IRS agreed with this recommendation.
The
       Collection Policy office will submit a work request with documented user requirements
       by November 15, 2011, and the Applications Development office has removed the User
       Administrator privilege from the Developer privilege level.

The Online 5081 System Is Not Used to Authorize and Revoke Access
to the Automated Insolvency System
To request, authorize, and revoke access to IRS computer systems, employees and managers are
required to use the OL5081 system. The employee completes his or her access request on the
OL5081 system, and the manager approves the request. The employees’ approved access
request is then routed to an employee with User Administrator privileges who adds the user to
the system. If the employee needs elevated access privileges, the manager is required to
document his or her approval in the special instructions section of the employees’ OL5081 form.
The manager is also required to revoke an employee’s access authorizations by updating the
employees’ OL5081 form when the employee no longer needs access. The OL5081 is then
routed to a user administrator who disables the employee’s access on the system.
Some managers are not using the OL5081 system to authorize and revoke their employees’
access authorizations, and some employees assigned user administrator duties are not
deactivating the accounts when required. Of the approximately 1,500 users with an active
account on the AIS, we found:
   •   Fourteen employees separated from the IRS but still had an active account.
For nine of
       these employees, the managers revoked their access approval on the OL5081 system but
       the account was not deactivated. The three user administrators we interviewed attributed
       these unauthorized accounts to oversights on their part. Although we found these
       14 accounts had not been used since the employees separated, the accounts still pose an
       unnecessary risk because unauthorized individuals could exploit these accounts.
   •   Managers for 18 current employees revoked their employee’s access approval on the
       OL5081 form but the access account was still active. Six of the seven managers we
       interviewed informed us the employees no longer work in the Insolvency program, do
       not need access to the AIS, and the user administrators should have deactivated the
       employees’ accounts. One manager stated that one of these employees still needs AIS
       access but the manager did not use the OL5081 to reapprove the employee’s access
       account.
   •   Sixteen of the employees’ OL5081 forms contained no evidence that the employee had
       ever requested or been approved to access the AIS. We interviewed seven managers for
       seven of these employees. Five managers informed us their employee does not need AIS
       access and one of the five managers was not sure how the employee gained access. Two
       other managers stated that two of the employees need their current access to the AIS and
       the failure to use the OL5081 system was due to oversights by managers.
We found other instances of managers and user administrators not using the OL5081 system to
revoke users’ access. For 19 (18 percent) of 106 users in our sample that had an inactive
account, managers did not revoke access approval in the OL5081 system.
The 19 employees are
still officially authorized to have access and could contact an employee with User Administrator
privileges to have their account reactivated. We attribute this issue to managers bypassing the
OL5081 system and using informal methods to revoke their access authorizations.
Access authorization includes more than general access to a computer system. Authorization
also includes what a user can do once he or she gains access. Managers are required to approve
the employees’ system privileges based on the need to know and the employees’ assigned duties.
The manager must document his or her approval of the employee’s privileges in the special
instructions section of the OL5081 form and review these authorizations during the annual
OL5081 recertification process. However, of the 34 AIS users in our sample, none of their
managers approved their access privileges in the OL5081 form. Because the access privileges
are not approved and documented in the OL5081 system, the managers cannot validate the
appropriateness of employees’ AIS privileges during the annual OL5081 recertification.
We interviewed 11 Insolvency program managers to discuss their responsibilities during the
annual OL5081 recertification process. Ten of the 11 managers were unaware of the
requirement to validate their privilege authorizations during the recertification process.
The
managers review employees’ OL5081 forms only to determine whether the employee still needs
a general level of access.
We found the same lack of control in our Fiscal Year 2009 review of access controls for the
Automated Collection System.⁸ In that review, we found none of the managers review the
OL5081 system to determine the appropriateness of the employees’ access privileges and were
unaware of this requirement. In addition, we reported the OL5081 system was not designed with
the functionality needed to facilitate managers’ review of employees’ access privileges. For
example, during the annual OL5081 recertification process, the special instructions section of the
OL5081 system is not accessible from the recertification screens displayed on managers’
computers.
Rather than use the OL5081 system to approve users’ privileges, the managers allow other
employees with user administrator rights to enable system privileges that these other employees
deem appropriate. For example, the Senior Technical Analyst in the Centralized Insolvency
Operation office, who has user administrator privileges, assigns AIS privileges for Centralized
Insolvency Operation office employees based on his knowledge of their duties and what he
thinks the employees need. A manager in the Dallas Field Insolvency office, who has user
administrator rights, also stated that if an employee gets promoted and needs elevated privileges,
he is notified in staff meetings or is verbally informed. The manager then changes the
employee’s privileges in the AIS. In these instances, the manager does not document his or her
approval for the privileges in the special instructions section of the OL5081 system.
When
managers do not properly approve and periodically check the appropriateness of their
employees’ access privileges, the risk of unauthorized access to taxpayers’ data is increased.
In our report on the Automated Collection System, we recommended the Chief Technology
Officer make a top priority the identity access provisioning and management solution to enhance
the OL5081 system or replace it with a commercial off-the-shelf software product. We believe
this corrective action is critical to resolve the IRS’s computer security material weakness on
access controls and will also improve access controls for the AIS. We will not repeat the
recommendation in this report.

⁸ Additional Security Controls Are Needed to Protect the Automated Collection System (Reference
Number 2010-20-028, dated March 30, 2010).

Recommendation
Recommendation 5: The Directors, Collection Policy, Campus Filing and Payment
Compliance, and Advisory, Insolvency, and Quality, SB/SE Division, should issue a
memorandum to managers emphasizing the requirement to use the OL5081 system to authorize,
revoke, and review employees’ AIS access authorizations, including employees’ access
privileges. The memorandum should instruct managers to verify during the annual OL5081
recertification process that their authorizations of employees’ access privileges are appropriate
and documented in the OL5081 system.
       Management’s Response: The IRS agreed with this recommendation.
The
       Directors, Collection Policy, Campus Filing and Payment Compliance, and Advisory,
       Insolvency, and Quality, SB/SE Division, will issue a memorandum to their managers to
       emphasize the requirements to use the OL5081 system to authorize, revoke, and review
       employees’ AIS access authorization, including employees’ access privileges. Managers
       will be instructed to verify during the annual OL5081 recertification process that their
       authorizations of employees’ access privileges are appropriate.

Significant Automated Insolvency System Actions Taken on
Bankruptcy Cases Are Not Logged and Reported in the Manager
Review Screen
The AIS Manager Review screen displays most of the actions employees perform on bankruptcy
cases. This screen provides audit trail information and allows managers to review employees’
specific actions. However, we identified five AIS input screens that allow employees to perform
significant actions on a case that are not reported in the Manager Review screen. Users could
alter case information using these five input screens without detection. Managers and
troubleshooters cannot determine who made a specific change to a case when employees use the
following five input screens:
   •   The Proof of Claim screen displays and allows changes to the Proof of Claim information
       that the IRS filed with the bankruptcy court.
This screen could be used to fictitiously
       indicate the IRS filed a Proof of Claim when, in fact, the IRS did not file with the court.
   •   The Letter screen is used to generate letters relating to bankruptcy actions and could be
       used by a malicious user to send incorrect or unwarranted letters to taxpayers causing
       confusion or undue stress on the taxpayer.
   •   The Payment Plan screen allows users to alter information related to taxpayer payments
       scheduled or received. A user could manipulate or change the data to show payments
       were received or never received.
   •   The Attorney/Trustee Information screen could be used to alter the name, address, or
       other personal data regarding a bankruptcy attorney or trustee. This modification would
       affect all cases associated with the attorney or trustee.
   •   The Refund screen, Request for IDRS⁹ Generated Refund (IGR) (Form 5792),
       information could be maliciously altered to adjust information pertaining to posting a
       manual refund.
IRS procedures require computer systems be configured to provide audit trail tools that allow
managers to hold employees accountable for their actions on computer systems. Audit trails
should be enabled to monitor and log user activities such as editing and deleting records or data.
The Applications Development office informed us that the SB/SE Division’s Collection function
did not request the changes made to a case using the above five screens be reported in the
Manager Review screen.
Therefore, this audit trail capability was not configured for the AIS.
The risk of employees taking unauthorized actions without being detected, using these five
screens, is further increased due to the lack of AIS database audit trail review. The MITS
organization Cybersecurity office informed us that the database audit trails for the AIS are not
being reviewed by the Security Auditing and Analysis System.

Recommendation
Recommendation 6: The Director, Collection Policy, SB/SE Division, should submit a work
request to the Associate Chief Information Officer, Applications Development, requesting the
AIS be configured to report users’ changes to cases using the Proof of Claim, Letter, Payment
Plan, Attorney/Trustee Information, and Refund screens. Use of these five screens should be
reported in the AIS Manager Review screen to provide an audit trail of actions AIS users
performed on the bankruptcy cases.
       Management’s Response: The IRS agreed with this recommendation. A work
       request will be submitted to report users’ changes to cases using the Proof of Claim,
       Letter, Payment Plan, Attorney/Trustee Information, and Refund screens.
These changes
       will be captured in the AIS Manager Review screen and a Support Table Review screen
       to provide an audit trail.

⁹ Integrated Data Retrieval System.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS has implemented access controls for the
AIS to protect taxpayers’ personal data and to ensure the Government’s interest is protected
when taxpayers file for bankruptcy. To accomplish this objective, we:
I.     Determined whether key access controls are operating effectively to limit access to the
       AIS.
       A. Determined whether controls limit access to only authorized users performing
          assigned duties. We determined whether users were authorized to have an access
          account and whether the users were authorized to have their system privileges.
          1. Obtained a download of the user account control list for the AIS as of
             May 8, 2010. We determined the access level of the employees on the AIS user
             account control list.
          2. Determined whether users’ access privileges were approved by the user’s
             manager by reviewing the Online 5081 (OL5081) for a judgmental sample of
             34 different users. A judgmental sample was used because we wanted to
             determine whether a control weakness existed and we believed this sample size
             was sufficient to make that evaluation. Also, we did not intend to project the
             sample results to the population.
These users worked in the Dallas, Texas, and
             Oakland and San Jose, California, Insolvency offices; Centralized Insolvency
             Operation office in the Philadelphia, Pennsylvania, Campus; and applications
             developers in various offices around the Nation. There were a total of 534 users
             in these offices. We also reviewed the OL5081 to determine whether the
             managers approved (recertified) the access privileges within the last 12 months
             and whether the users’ privileges were reviewed annually by the users’ managers.
          3. For users without an OL5081 record and users with potentially excessive or
             unauthorized privileges, interviewed the users’ managers to determine reasons for
             the specific privileges.
          4. Determined whether users’ roles and responsibilities were aligned with their
             access privileges on the AIS according to the concept of “least privilege.”
          5. Interviewed managers in the Centralized Insolvency Operation office and in the
             Field Insolvency offices to identify employees that have separated within the last
             12 months.
          6. Interviewed Applications Development office personnel to determine whether
             users’ access levels on the AIS can be altered to better align with users’ roles.
       B. Determined whether the logins and passwords of inactive users are inactivated on the
          AIS.
          The AIS system administrator informed us that users’ accounts cannot be
          deleted from the system if the user worked on a case maintained in the system.
          Instead, the users are deactivated and their login and password are deleted. We
          selected 106 of the 967 inactive users – the 6 employees that separated from the
          Texas Insolvency offices and Oakland/San Jose Insolvency offices during the
          12 months prior to our audit, and the 73 Centralized Insolvency Operation office
          employees and 27 other users randomly selected from the AIS inactive list. We
          randomly picked these 100 users (73 + 27) to ensure each user had an equal chance of
          being selected. We also compared the AIS active users (1,526 users) from the AIS
          user account control list to the OL5081 system to determine whether active users
          were properly authorized using the OL5081 system.
       C. Determined whether duties were adequately separated to limit conflicts of interest
          among key personnel.
       D. Determined whether the system automatically locks out a user after three
          unsuccessful logon attempts.
       E. Determined whether AIS passwords comply with IRS password complexity
          requirements.
       F. Determined whether the AIS displays the required banner to warn unauthorized
          individuals that the system and its information are for authorized users only.
       G. Determined whether access controls for users directly accessing the Oracle 10g
          database are adequate and access privileges are aligned with assigned roles and
          responsibilities. Reviewed user profiles, accounts, roles, and privileges.
II.    Evaluated the case controls that the Centralized Insolvency Operation office implemented
       to process ENS records received from United States Bankruptcy Courts.
       A. Determined whether managers review employees’ ENS deletion actions and
          document their approval.
          1. Requested the Audit Delete Reports for the months of June, August, October, and
             December 2009 and February 2010 and determined whether the appropriate
             managers signed and dated the reports to document their review and approval.
          2. Interviewed managers to determine if cases were deleted for reasons other than
             duplication and whether they found any improper notice deletions or other case
             processing problems since the new Audit Delete Report procedure was
             implemented.
          3. Selected a statistical random sample of deleted notices from the Audit Delete
             Reports and determined whether the bankruptcy notices were improperly deleted
             by IRS employees. We selected three Audit Delete reports that were generated
             during February 2010. The 3 reports listed a total of 910 deleted ENS bankruptcy
             notices. Our sample of 30 was based on a 5 percent precision rate, 2 percent
             expected error rate, and a 95 percent confidence level. We expanded our sample
             to include the Audit Delete Reports for June, August, October, and December
             2009 to cover the 9-month period prior to our audit. A total of 7,234 ENS notice
             deletions were listed on these Audit Delete reports. Our second sample of
             66 notices was based on a 4 percent precision rate, 2 percent expected error rate,
             and a 98 percent confidence level.
             Combined with the first sample, we tested a
             total of 96 deleted notices.
       B. Determined whether controls can be improved to prohibit unauthorized deletion of
          ENS bankruptcy notices by interviewing AIS Applications Development office
          officials and evaluating the feasibility of limiting the notice deletion privilege to the
          lead technicians in the Centralized Insolvency Operation office’s Automated
          Processing Control function.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: access controls for the AIS and case
controls that the Centralized Insolvency Operation office implemented to process ENS records
received from United States Bankruptcy Courts.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
W. Allen Gray, Audit Manager
Cari Fogle, Lead Auditor
Midori Ohno, Senior Auditor
Jennifer Clewis, Auditor
Frank O’Connor, Auditor
Monique Queen, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Director, Advisory, Insolvency, and Quality, Small Business/Self-Employed Division SE:S:C:AIQ
Director, Campus Filing and Payment Compliance, Small Business/Self-Employed Division SE:S:CCS:FPC
Director, Collection Policy, Small Business/Self-Employed Division SE:S C:CP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Small Business/Self-Employed Division SE:S
       Chief, Office of Appeals AP
       Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Excessive Privileges

The inadequate role-based access
control scheme that the IRS developed for the AIS caused
managers to inadvertently grant unneeded, excessive privileges to users. The following six
examples are in addition to the four examples provided in the body of the report beginning on
page 9.

Job Function          Assigned Duties/Access Level        Excessive Privileges
                      and Privileges Granted

Planning and          Review case work done by            Update and delete case information,
Analysis Quality      employees. (Access Level 2)         Case Assignment Guide, bulk
Analyst, Campus       View the Manager Review             processes, and delete ENS notices.
Compliance            screen to identify actions taken    Manager privileges allow user to
Services              by employees. (Manager              change attorney/trustee data and
                      privileges)                         employee data, perform bulk case
                                                          assignments, and view Manager
                                                          reports.

Field Insolvency      Update bankruptcy cases and file    Delete ENS notices.
Bankruptcy            the Proof of Claim. (Access
Specialist            Level 2)

Field Insolvency      Query AIS cases regarding           Change and delete case
Secretary             requests from attorneys and         information, delete ENS notices,
                      taxpayers and perform bulk          Case Assignment Guide, and the
                      printing, such as printing          Payments screen.
                      taxpayer notices and letters.       Manager privileges allow user to
                      (Access Level 2)                    change attorney/trustee data and
                      Some secretaries print Manager      employee data, perform bulk case
                      reports. (Manager privileges)       assignments, and view the Manager
                                                          Review screen.

Non-Insolvency        Need read-only access to view       Update and delete case information,
User                  case status, and sign off on case   view and generate reports, assign or
                      history. (Access Level 1, 2,        reassign cases to employees, and
                      or 3)                               perform bulk processes. Users with
                                                          Access Level 1 or 2 can delete ENS
                                                          notices.

Application           Diagnose problems related to the    User Administrator privileges allow
Developer             interfaces between the AIS and      user to add users, create passwords,
                      other systems.                      and assign privileges.
                      (Developer privileges)

Troubleshooter        View case information to help       Update and delete case information
                      users with their AIS problems.      and ENS notices, and perform bulk
                      (Access Level 1, Manager,           processes. Manager privileges
                      Analyst, and User Administrator     allow user to perform bulk case
                      privileges)                         assignments. User Administrator
                                                          privileges allow user to create new
                                                          users, create passwords, and assign
                                                          privileges.

Appendix V

Glossary of Terms

Term                            Definition

Automated Collection System     A telephone contact system through which telephone assistors
                                collect unpaid taxes and secure tax returns from delinquent
                                taxpayers who have not complied with previous notices.
Campus                          The data processing arm of the IRS. The campuses process
                                paper and electronic submissions, correct errors, and forward
                                data to the Computing Centers for analysis and posting to
                                taxpayer accounts.
Computing Center                IRS Computing Centers support tax processing and
                                information management through a data processing and
                                telecommunications infrastructure.
Concept of “least privilege”    A key internal control concept and IRS requirement.
                                The intent is to minimize employees’ system access privileges to the
                                minimum needed to perform assigned duties.
Configuration Control           The management of security features and assurances through
                                control of changes made to hardware and software throughout
                                the life cycle of a computer system.
Integrated Data Retrieval       A major IRS application consisting of databases and operating
System                          systems that support IRS employees working active tax cases
                                within each business function across the IRS. This system
                                allows employees to post transaction updates to the IRS
                                master files.
Informix                        Informix is a relational database management system
                                developed by the International Business Machines
                                Corporation and is used for online transaction processing.
Online 5081 System              Virtually every customer within the IRS must utilize the IRS
                                Form 5081, Information System User Registration/Change
                                Request, to request access to information systems and
                                applications. The OL5081 system replaces the paper
                                Information System User Registration/Change Request
                                (Form 5081) with an automated, standard process.
                                It provides automated submission, approval, recertification, and
                                filing of the Form 5081 on an enterprise-wide basis.
Oracle                          The Oracle Database is a relational database management
                                system produced by the Oracle Corporation.
Proof of Claim                  An official form filed with a Bankruptcy court describing the
                                reason a debtor owes a creditor money, which typically sets
                                forth the amount of money owed.
Role-Based Access Control       A security approach to restricting employees’ access to
                                computer systems. System roles are created for an
                                organization’s various job functions. The minimum privileges
                                needed to perform the job functions are assigned to the roles.
                                The role is then assigned to a system user.
Security Auditing and           The Security Audit and Analysis System implements a data
Analysis System                 warehousing solution to provide online analytical processing
                                of audit trail data.
Separation of Duties            A key internal control concept. The objective is for
                                management to assign duties and implement checks and
                                balances upon the activities of employees to prevent errors and
                                fraud.
                                For example, organizations separate the duties of
                                receiving customers’ checks and approving account write-offs,
                                and depositing cash and reconciling bank statements.
Transmittal                     The purpose of a Transmittal is to either document changes to
                                an operating system or database (whether it is a configuration
                                change or a patch) or to initiate action by field personnel
                                (usually a systems administrator) for applying patches, making
                                required configuration changes, and installing software.

Appendix VI

Management’s Response to the Draft Report